couchdb-dev mailing list archives

From "Zachary Lym (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-2444) Mirror CORS domains
Date Fri, 07 Nov 2014 02:37:34 GMT


Zachary Lym commented on COUCHDB-2444:

No, it will prevent local XSS attacks as it locks down the origin to the domain making the
initial request.  Given how well CouchDB serves as an API backend, I think that such functionality
is highly desirable.

If you must lock it down further, then perhaps you could just restrict CORS auth-functionality
in the same way it's blocked for wildcard domains.  

> Mirror CORS domains
> -------------------
>                 Key: COUCHDB-2444
>                 URL:
>             Project: CouchDB
>          Issue Type: Improvement
>      Security Level: public (Regular issues)
>          Components: HTTP Interface
>            Reporter: Zachary Lym
> Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring
> the caller.  I believe that this is an XSS mitigation technique but it would also allow cookie-based
> authentication on domains (which are blocked when a wildcard is used to specify the domains).
> If this capability exists, then it should be documented in the interface and highlighted in
> the CORS documentation.
> [PouchDB cross-pollination|].

This message was sent by Atlassian JIRA
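As an added illustration of the origin mirroring discussed in the ticket (example code, not CouchDB's own implementation): an explicit origin allowlist is mirrored back with `Vary: Origin` and may carry credentials, the wildcard setting never grants credentials, and an origin outside the list gets no CORS headers at all. `ALLOWED_ORIGINS`, `normalize_origin` and `cors_headers` are names constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; CouchDB's real setting lives in its
# CORS config, not in a Python constant.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
DEFAULT_PORTS = {("http", 80), ("https", 443)}


def normalize_origin(origin):
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None for anything that is not a plain origin, including the
    literal "null" browsers send for sandboxed or file:// documents, values
    with a path, query, fragment or userinfo, and unparsable ports.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    normalized = f"{parts.scheme}://{parts.hostname}"
    if port is not None and (parts.scheme, port) not in DEFAULT_PORTS:
        normalized += f":{port}"
    return normalized


def cors_headers(request_origin, allowed_origins, allow_credentials):
    """Return the CORS response headers for one request.

    allowed_origins is either the string "*" or a set of exact origins. With
    "*" the response says "*" and credentials are never allowed (the browser
    would reject the combination anyway). With an explicit set, only a
    matching origin is mirrored back; an arbitrary caller's value never is.
    """
    headers = {}
    if allowed_origins == "*":
        headers["Access-Control-Allow-Origin"] = "*"
        return headers
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed_origins:
        return headers  # unknown origin: no CORS grant of any kind
    headers["Access-Control-Allow-Origin"] = origin
    headers["Vary"] = "Origin"  # a mirrored response must not be cached across origins
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```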
